[{"author": "Shivan Sahib", "text": "

Hi all!

", "time": "2023-03-27T04:00:08Z"}, {"author": "Michael B", "text": "

I'm happy to do notes

", "time": "2023-03-27T04:00:49Z"}, {"author": "Christopher Patton", "text": "

Thank you Michael

", "time": "2023-03-27T04:00:56Z"}, {"author": "Tim Geoghegan", "text": "

+1, much appreciated, Michael!

", "time": "2023-03-27T04:01:59Z"}, {"author": "Christopher Patton", "text": "

Thanks Ben for the advert of other sessions!

", "time": "2023-03-27T04:05:06Z"}, {"author": "Christopher Patton", "text": "

*one helper!!

", "time": "2023-03-27T04:19:26Z"}, {"author": "Christopher Patton", "text": "

ccccccvvcglvtkutcttdunljrdhftbtjrihcekuindtj

", "time": "2023-03-27T04:19:42Z"}, {"author": "Matthew Finkel", "text": "

Okay, good, that was going to be my question

", "time": "2023-03-27T04:19:46Z"}, {"author": "Melinda Shore", "text": "

still quiet

", "time": "2023-03-27T04:20:25Z"}, {"author": "Melinda Shore", "text": "

there we go

", "time": "2023-03-27T04:20:36Z"}, {"author": "Daniel Gillmor", "text": "

Christopher Patton said:

\n
\n

ccccccvvcglvtkutcttdunljrdhftbtjrihcekuindtj

\n
\n

yubikey?

", "time": "2023-03-27T04:26:04Z"}, {"author": "Shivan Sahib", "text": "

that was my guess

", "time": "2023-03-27T04:26:26Z"}, {"author": "Brian Trammell", "text": "

that or a relatively small cat

", "time": "2023-03-27T04:26:43Z"}, {"author": "Shivan Sahib", "text": "

Shouldn't that be *Less Aggregators => Weaker trust model?

", "time": "2023-03-27T04:27:14Z"}, {"author": "Shivan Sahib", "text": "

*fewer Aggregators

", "time": "2023-03-27T04:27:19Z"}, {"author": "Tim Geoghegan", "text": "

Weaker in the sense of less trust in each aggregator, I think

", "time": "2023-03-27T04:27:34Z"}, {"author": "Amelia Andersdotter", "text": "

risk is more spread out

", "time": "2023-03-27T04:27:44Z"}, {"author": "Brian Trammell", "text": "

ekr's mic isn't on

", "time": "2023-03-27T04:28:58Z"}, {"author": "Christopher Patton", "text": "

+1 Tim

", "time": "2023-03-27T04:35:54Z"}, {"author": "Christopher Patton", "text": "

\"weaker\" as in \"weaker assumptions\" :)

", "time": "2023-03-27T04:36:08Z"}, {"author": "Martin Thomson", "text": "

This seems like a pretty strict improvement over the star arrangement; is it not possible to build this system with more nodes, at a cost of having to have helpers broadcast also.

", "time": "2023-03-27T04:39:08Z"}, {"author": "Samuel Weiler", "text": "

Martin, I'm not quite following you. Try again?

", "time": "2023-03-27T04:40:02Z"}, {"author": "Eric Rescorla", "text": "

Well of having all of the helpers authenticate to each toher

", "time": "2023-03-27T04:40:34Z"}, {"author": "Eric Rescorla", "text": "

Which seems like a pretty bad regression

", "time": "2023-03-27T04:40:40Z"}, {"author": "Amelia Andersdotter", "text": "

Is it still a distributed aggregation protocol if you have only 1 helper?

", "time": "2023-03-27T04:41:53Z"}, {"author": "Tim Geoghegan", "text": "

It's possible it could work (modulo ekr's concern about distributing enough tokens for everything to client auth to everything else) but I worry about how all the aggregators would agree to move to the next round

", "time": "2023-03-27T04:42:13Z"}, {"author": "Amelia Andersdotter", "text": "

Emphasis on distributed

", "time": "2023-03-27T04:42:17Z"}, {"author": "Benjamin Schwartz", "text": "

\"Divided Aggregation Protocol\"

", "time": "2023-03-27T04:42:21Z"}, {"author": "Benjamin Schwartz", "text": "

Are there any VDAFs under consideration with ROUNDS > 2?

", "time": "2023-03-27T04:44:04Z"}, {"author": "Tim Geoghegan", "text": "

Not that I know of

", "time": "2023-03-27T04:44:37Z"}, {"author": "Christopher Patton", "text": "

dang, ran out of time!

", "time": "2023-03-27T04:44:59Z"}, {"author": "Amelia Andersdotter", "text": "

I wonder if the current DAP design rationale could have been motivated by achieving distribution (e.g. the robustness trade-off described earlier: is protection against a malicious aggregator a meaningful protection for a privacy-seeking end-user in the context of metrics transported via DAP?).

", "time": "2023-03-27T04:45:01Z"}, {"author": "Amelia Andersdotter", "text": "

But \"divided\" is also good. \"Double-something\" could also work.

", "time": "2023-03-27T04:45:59Z"}, {"author": "Amelia Andersdotter", "text": "

Dual.

", "time": "2023-03-27T04:46:10Z"}, {"author": "Martin Thomson", "text": "

@Benjamin Schwartz I think that you can build the two things to run in separate requests if you care about that

", "time": "2023-03-27T04:54:46Z"}, {"author": "Christopher Patton", "text": "

oh interesting tim

", "time": "2023-03-27T04:57:29Z"}, {"author": "Shivan Sahib", "text": "

yeah that is interesting!

", "time": "2023-03-27T04:57:35Z"}, {"author": "Shivan Sahib", "text": "

didn't think of that

", "time": "2023-03-27T04:57:49Z"}, {"author": "Benjamin Schwartz", "text": "

It makes me wonder about things like: does this require the helpers to become both HTTP servers and clients, vs. only acting as HTTP servers.

", "time": "2023-03-27T04:58:04Z"}, {"author": "Tim Geoghegan", "text": "

No, the helper is still the only HTTP server

", "time": "2023-03-27T04:58:24Z"}, {"author": "Tim Geoghegan", "text": "

Here is the pull request I mentioned: https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/pull/393

", "time": "2023-03-27T04:58:48Z"}, {"author": "Shivan Sahib", "text": "

+1 to taking some measurements

", "time": "2023-03-27T04:59:40Z"}, {"author": "Christopher Patton", "text": "

I'm OK moving forward; I'm happy to help with measurements if that's the decision

", "time": "2023-03-27T05:02:39Z"}, {"author": "Christopher Patton", "text": "

Yes, thank you EKR!

", "time": "2023-03-27T05:03:08Z"}, {"author": "Brandon Pitman", "text": "

+1 to measurements if desired, though our current data suggests that aggregation evaluation time will be dominated by the network round trips (at least for some VDAFs)

", "time": "2023-03-27T05:03:34Z"}, {"author": "Martin Thomson", "text": "

I think that the 1:1 setup makes reasoning about server/client roles easier.

", "time": "2023-03-27T05:04:24Z"}, {"author": "Martin Thomson", "text": "

Pay attention people, there will be a test after this

", "time": "2023-03-27T05:05:19Z"}, {"author": "Shivan Sahib", "text": "

given how many times we've done STAR presentations in this WG I don't think it's necessarily true people are less familiar with STAR than DAP ;)

", "time": "2023-03-27T05:06:10Z"}, {"author": "Christopher Patton", "text": "

+1 :)

", "time": "2023-03-27T05:06:24Z"}, {"author": "Shivan Sahib", "text": "

we have quite a bit of time no?

", "time": "2023-03-27T05:15:06Z"}, {"author": "Samuel Weiler", "text": "

We have until ~X:40 for STAR, in total.

", "time": "2023-03-27T05:15:34Z"}, {"author": "Samuel Weiler", "text": "

The question is how much time we want for discussion (of adoption) v. presentation of these results. Feel free to opine on that.

", "time": "2023-03-27T05:16:17Z"}, {"author": "Martin Thomson", "text": "

That sounds like exactly what someone building a malicious input would choose to do

", "time": "2023-03-27T05:16:39Z"}, {"author": "Shivan Sahib", "text": "

I think my slides won't take that much time, so if folks have qs about measurements then it's fine to spend time on that

", "time": "2023-03-27T05:17:34Z"}, {"author": "Eric Rescorla", "text": "

I'm going to have some questions :)

", "time": "2023-03-27T05:18:23Z"}, {"author": "Matthew Finkel", "text": "

k=128 seems super small

", "time": "2023-03-27T05:18:31Z"}, {"author": "Christopher Patton", "text": "

maybe depends on the data set?

", "time": "2023-03-27T05:19:18Z"}, {"author": "Shivan Sahib", "text": "

@Matthew Finkel it depends on the application

", "time": "2023-03-27T05:19:21Z"}, {"author": "Eric Rescorla", "text": "

@Christopher Patton how sensitive is Poplar to the threshold

", "time": "2023-03-27T05:19:34Z"}, {"author": "Daniel Gillmor", "text": "

in those bar charts, what do the widths of each bar represent?

", "time": "2023-03-27T05:19:48Z"}, {"author": "Shivan Sahib", "text": "

Poplar is sensitive to the input size

", "time": "2023-03-27T05:20:42Z"}, {"author": "Eric Rescorla", "text": "

awesomeness

", "time": "2023-03-27T05:20:44Z"}, {"author": "Eric Rescorla", "text": "

My question isn't about input size, but about the popularity you are trying to measure

", "time": "2023-03-27T05:21:03Z"}, {"author": "Shivan Sahib", "text": "

@Samuel Weiler 10 mins for my slides should be good!

", "time": "2023-03-27T05:24:35Z"}, {"author": "Tim Geoghegan", "text": "

We apologise sincerely for shipping a Poplar1 implementation in a library called \"libprio\"

", "time": "2023-03-27T05:25:07Z"}, {"author": "Eric Rescorla", "text": "

My intuition here is that for most reasonable rates of tainted submissions, you won't need that many verifications

", "time": "2023-03-27T05:27:36Z"}, {"author": "Eric Rescorla", "text": "

For instance, say you have a (very high) taint rate of 1% and k=128

", "time": "2023-03-27T05:27:53Z"}, {"author": "Eric Rescorla", "text": "

You accumulate 128 values, of which about 12 are tainted, so the reconstruction fails, and then you run the verification once, which gives you 116 valid values.

", "time": "2023-03-27T05:28:35Z"}, {"author": "Eric Rescorla", "text": "

you then accumulate 12 more, of which about 1-2 are damaged, so this fails

", "time": "2023-03-27T05:28:45Z"}, {"author": "Eric Rescorla", "text": "

Now you have to verify again, which kicks out those 1-2

", "time": "2023-03-27T05:28:56Z"}, {"author": "Eric Rescorla", "text": "

And now you have 126 values, and then you pull in 2 more, and most likely none of them will be damaged

", "time": "2023-03-27T05:29:26Z"}, {"author": "Eric Rescorla", "text": "

So in this case you are doing two verification passes

", "time": "2023-03-27T05:29:32Z"}, {"author": "Samuel Weiler", "text": "

Until the tainting is due to implementation error rather than malice...

", "time": "2023-03-27T05:30:13Z"}, {"author": "Christopher Patton", "text": "

How do blind signatures help with bad ciphertexts?

", "time": "2023-03-27T05:30:27Z"}, {"author": "Christopher Patton", "text": "

that sounds reasonable

", "time": "2023-03-27T05:31:32Z"}, {"author": "Christopher Wood", "text": "

@Christopher Patton you can verify that the measurement encrypted \"matches\" the secret shared key

", "time": "2023-03-27T05:31:43Z"}, {"author": "Christopher Patton", "text": "

got it. nice idea

", "time": "2023-03-27T05:33:37Z"}, {"author": "Christopher Wood", "text": "

But it requires the signature scheme to be deterministic, which is an additional complication.

", "time": "2023-03-27T05:34:02Z"}, {"author": "Martin Thomson", "text": "

Those are very low entropy inputs

", "time": "2023-03-27T05:39:42Z"}, {"author": "Martin Thomson", "text": "

I think that you will find that Prio will be faster for very small histograms

", "time": "2023-03-27T05:40:55Z"}, {"author": "Christopher Wood", "text": "

+1 -- Prio is incredibly fast.

", "time": "2023-03-27T05:41:07Z"}, {"author": "Martin Thomson", "text": "

Let's say that you are counting from a relatively small space from a space X, you can submit |X| Boolean values to Prio3Sum. An L1 bound on that input is very easy to produce a SNIP for.

", "time": "2023-03-27T05:42:45Z"}, {"author": "Martin Thomson", "text": "

Performance for that circuit would be extremely fast, even relative to STAR

", "time": "2023-03-27T05:44:06Z"}, {"author": "Christopher Patton", "text": "

Privacy Pass!

", "time": "2023-03-27T05:44:27Z"}, {"author": "Eric Rescorla", "text": "

@Martin Thomson yes, but I think STAR is also insecure in that case because of the oracle issue

", "time": "2023-03-27T05:44:46Z"}, {"author": "Eric Rescorla", "text": "

Which was maybe your point

", "time": "2023-03-27T05:45:03Z"}, {"author": "Martin Thomson", "text": "

absolutely. If you have X being easily enumerable, you have to make |X| queries of the OPRF

", "time": "2023-03-27T05:45:20Z"}, {"author": "Christopher Wood", "text": "

@Eric Rescorla to clarify, the oracle issue is the dictionary attack, right?

", "time": "2023-03-27T05:45:23Z"}, {"author": "Sofia Celi", "text": "

so, one thing to note is that many organizations and projects do not have access to non-colluding servers

", "time": "2023-03-27T05:45:26Z"}, {"author": "Sofia Celi", "text": "

which POPLAR and Prio both need

", "time": "2023-03-27T05:45:37Z"}, {"author": "Christopher Wood", "text": "

@Sofia Celi doesn't STAR require non-colluding servers (OHTTP)?

", "time": "2023-03-27T05:45:46Z"}, {"author": "Sofia Celi", "text": "

randomness can be derived locally

", "time": "2023-03-27T05:46:00Z"}, {"author": "Benjamin Schwartz", "text": "

Also the randomness server

", "time": "2023-03-27T05:46:02Z"}, {"author": "Tim Geoghegan", "text": "

Or the randomness oracle?

", "time": "2023-03-27T05:46:04Z"}, {"author": "Sofia Celi", "text": "

those servers are also not difficult to mantain.. they don't communicate with each other

", "time": "2023-03-27T05:46:18Z"}, {"author": "Christopher Wood", "text": "

EVen ignoring the randomness server, STAR still requires a proxy of sorts, and that's non-collusion.

", "time": "2023-03-27T05:46:23Z"}, {"author": "Sofia Celi", "text": "

what is the model of non-colluding server in Prio and POPLAR: pay for usage?

", "time": "2023-03-27T05:46:36Z"}, {"author": "Sofia Celi", "text": "

are they going to be publically available to all for use?

", "time": "2023-03-27T05:46:48Z"}, {"author": "Sofia Celi", "text": "

because setting a randomness server is cheap and serve many.

", "time": "2023-03-27T05:47:10Z"}, {"author": "Sofia Celi", "text": "

is Prio and POPLAR only for the ones that can afford?

", "time": "2023-03-27T05:47:22Z"}, {"author": "Martin Thomson", "text": "

@Sofia Celi usually people pay to run infrastructure that provides them with information they care about; Mozilla pays for its telemetry servers

", "time": "2023-03-27T05:48:50Z"}, {"author": "Christopher Patton", "text": "

Can we be more concrete about the Sybil attack? Does it lead to linking a client to the measurement they submitted?

", "time": "2023-03-27T05:48:53Z"}, {"author": "Christopher Wood", "text": "

Can someone summarize the outcome here?

", "time": "2023-03-27T05:48:54Z"}, {"author": "Tim Geoghegan", "text": "

The hope is that there will be free DAP operators and paid DAP operators, analogously to how there are some free TLS CAs out there

", "time": "2023-03-27T05:49:08Z"}, {"author": "Eric Rescorla", "text": "

@Christopher Patton yes in the absence of the proxy. No if the proxy is htere

", "time": "2023-03-27T05:49:10Z"}, {"author": "Sofia Celi", "text": "

@Martin Thomson and how much is that payment? how you measured it?

", "time": "2023-03-27T05:49:15Z"}, {"author": "Christopher Patton", "text": "

@EKR then I am less concrened about the attack. I think proxy is mandatory for STAR anyway

", "time": "2023-03-27T05:49:36Z"}, {"author": "Christopher Patton", "text": "

at least I've been thinking of it htat way

", "time": "2023-03-27T05:49:43Z"}, {"author": "Martin Thomson", "text": "

@Sofia Celi I don't know exactly how much we pay, but it is justified on the basis that we couldn't collect the data any other way

", "time": "2023-03-27T05:49:44Z"}, {"author": "Sofia Celi", "text": "

OPRF-like servers already exist for things like privacy pass and many other applications. The same for proxys

", "time": "2023-03-27T05:50:09Z"}, {"author": "Eric Rescorla", "text": "

@Christopher Patton I don't think it's really a sybil attack, but in any case, the question is whether a given value is in the set

", "time": "2023-03-27T05:50:13Z"}, {"author": "Amir Omidi", "text": "

Audio coming well remotely

", "time": "2023-03-27T05:50:14Z"}, {"author": "Eric Rescorla", "text": "

Note that if you think the proxy is enough, then you don't need STAR at all, just OHTTP

", "time": "2023-03-27T05:50:34Z"}, {"author": "Shivan Sahib", "text": "

STAR does require non-colluding servers: aggregation and randomness.

", "time": "2023-03-27T05:50:45Z"}, {"author": "Sofia Celi", "text": "

then what is asking is that any small organization will also have to pay that fee. That is not a thing a lot of them can do. So it will privacy for the ones that can afford @Martin Thomson

", "time": "2023-03-27T05:50:51Z"}, {"author": "Eric Rescorla", "text": "

The point of STAR is to conceal the values for any number of reports less than |k|

", "time": "2023-03-27T05:50:59Z"}, {"author": "Christopher Patton", "text": "

@Shivan I would also add the proxy to that list of non-colluding entities. of course you could have the proxy also run the OPRF server

", "time": "2023-03-27T05:51:17Z"}, {"author": "Martin Thomson", "text": "

@Sofia Celi Presumably a smaller organization will have costs proportional to their size

", "time": "2023-03-27T05:51:22Z"}, {"author": "Eric Rescorla", "text": "

@Sofia Celi even with conventional telemetry you still need to pay to run the servers that record the data

", "time": "2023-03-27T05:51:37Z"}, {"author": "Sofia Celi", "text": "

so the use case for me is that many small orgs will not have the ability to pay the fee for Prio and POPLAR. So, the ones that cannot afford can have the alternative as STAR

", "time": "2023-03-27T05:52:01Z"}, {"author": "Martin Thomson", "text": "

MPC will obviously cost more than operating in the clear, but the point of the systems here is that the cost increment is small

", "time": "2023-03-27T05:52:14Z"}, {"author": "Shivan Sahib", "text": "

a caveat on the non-collusion in STAR is that if the Agg and Randomness servers collude, then that's effectively \"Simple STAR\" i.e. you're dependent on the input space for the measurements

", "time": "2023-03-27T05:52:19Z"}, {"author": "Sofia Celi", "text": "

@Martin Thomson is there any research on that? or is that the hope?

", "time": "2023-03-27T05:52:21Z"}, {"author": "Matthew Finkel", "text": "

Are there already known concrete costs for using DAP?

", "time": "2023-03-27T05:53:04Z"}, {"author": "Christopher Patton", "text": "

@Matthew these could be produced pretty readily.

", "time": "2023-03-27T05:53:27Z"}, {"author": "Martin Thomson", "text": "

I think that cost of protocols is a key consideration of many of the papers; Prio and Poplar papers talk about compute and networking costs at some length

", "time": "2023-03-27T05:53:28Z"}, {"author": "Eric Rescorla", "text": "

I don't think any you'd want to hang your hat on

", "time": "2023-03-27T05:53:29Z"}, {"author": "Martin Thomson", "text": "

I'm fairly sure that the EENPA folks can probably talk about costs at some level, though maybe not in fine detail

", "time": "2023-03-27T05:53:59Z"}, {"author": "Matthew Finkel", "text": "

Ack. Just seems surprising to justify standardizing another protocol based on costs that aren't known yet

", "time": "2023-03-27T05:54:32Z"}, {"author": "Christopher Patton", "text": "

@matthew I think it would be useful if we could be more concrete about what we mean by \"cost\".

", "time": "2023-03-27T05:55:13Z"}, {"author": "Sofia Celi", "text": "

I think we can actually have a presentation from Brave about what financial costs an small org can actually have. I think that might not be in the mental model of big orgs. It shouldn't be that only ones that can afford, have privacy

", "time": "2023-03-27T05:55:21Z"}, {"author": "Christopher Patton", "text": "

There is (1) bits sent on the wire; (2) CPU cost; etc.

", "time": "2023-03-27T05:55:30Z"}, {"author": "Benjamin Schwartz", "text": "

The STAR vs. Poplar CPU costs seem clear enough, but I haven't heard of any use cases that really would use Poplar (rather than Prio) in the absence of STAR.

", "time": "2023-03-27T05:55:43Z"}, {"author": "Matthew Finkel", "text": "

Sofia Celi said:

\n
\n

so the use case for me is that many small orgs will not have the ability to pay the fee for Prio and POPLAR. So, the ones that cannot afford can have the alternative as STAR

\n
\n

:up:

", "time": "2023-03-27T05:55:49Z"}, {"author": "Eric Rescorla", "text": "

@Benjamin Schwartz we have a number

", "time": "2023-03-27T05:56:02Z"}, {"author": "Eric Rescorla", "text": "

Sofia Celi said:

\n
\n

so the use case for me is that many small orgs will not have the ability to pay the fee for Prio and POPLAR. So, the ones that cannot afford can have the alternative as STAR

\n
\n

I don't follow this argument. Is STAR-VSS significantly faster than Prio?

", "time": "2023-03-27T05:57:40Z"}, {"author": "Sofia Celi", "text": "

it is cheaper

", "time": "2023-03-27T05:58:13Z"}, {"author": "Eric Rescorla", "text": "

Would be very interested in seeing some data ont hat

", "time": "2023-03-27T05:58:27Z"}, {"author": "Sofia Celi", "text": "

does not need you to use an expensive set of aggregation servers that perform costly operations, and have to communicate with each other

", "time": "2023-03-27T05:58:48Z"}, {"author": "Sofia Celi", "text": "

we have data. It is in the STAR paper @Eric Rescorla

", "time": "2023-03-27T05:59:01Z"}, {"author": "Eric Rescorla", "text": "

That data didn't have verification

", "time": "2023-03-27T05:59:14Z"}, {"author": "Martin Thomson", "text": "

But you have expensive OPRF servers and you can't pretend that the validation is free.

", "time": "2023-03-27T05:59:18Z"}, {"author": "Sofia Celi", "text": "

OPRFs computation is not expensive and we have them already for privacy pass and more

", "time": "2023-03-27T05:59:46Z"}, {"author": "Eric Rescorla", "text": "

Yeah, I don't follow: the compute has to be done somewhere, and whether it's done via your raw compute in the cloud or with some aggregation services.

", "time": "2023-03-27T05:59:48Z"}, {"author": "Sofia Celi", "text": "

there is nothing extra there needed.

", "time": "2023-03-27T05:59:55Z"}, {"author": "Eric Rescorla", "text": "

Well, it doesn't seem like it's the OPRF that's the issue but rather the verification

", "time": "2023-03-27T06:00:03Z"}, {"author": "Shivan Sahib", "text": "

that is correct

", "time": "2023-03-27T06:00:21Z"}, {"author": "Sofia Celi", "text": "

verification does not add to financial costs.. can you clarify how it will add? @Eric Rescorla ?

", "time": "2023-03-27T06:00:22Z"}, {"author": "Eric Rescorla", "text": "

Why doesn't it add to the financial costs? You're paying for compute

", "time": "2023-03-27T06:00:41Z"}, {"author": "Sofia Celi", "text": "

randomness can also be computed locally. You don't need an interaction with a OPRF sever. You can hash locally.

", "time": "2023-03-27T06:00:52Z"}, {"author": "Shivan Sahib", "text": "

I'm confused what else is needed at this point

", "time": "2023-03-27T06:01:20Z"}, {"author": "Shivan Sahib", "text": "

is the ask now to do another comparison?

", "time": "2023-03-27T06:01:30Z"}, {"author": "Eric Rescorla", "text": "

My ask was to see an example application of STAR that was compelling compared to the existing things we are already doing.

", "time": "2023-03-27T06:02:02Z"}, {"author": "Martin Thomson", "text": "

The request is to connect use cases to an operating point for STAR, along with a performance evaluation at that point

", "time": "2023-03-27T06:02:15Z"}, {"author": "Eric Rescorla", "text": "

Yes, what MT said

", "time": "2023-03-27T06:02:41Z"}, {"author": "Shivan Sahib", "text": "

I think the specific ask is to have use-cases specifically for STAR-VSS where STAR-VSS > Poplar. Right?

", "time": "2023-03-27T06:02:43Z"}, {"author": "Eric Rescorla", "text": "

Well, or better than Prio, I suppose, but I was surprised to hear that you thought that was possible

", "time": "2023-03-27T06:03:09Z"}, {"author": "Matthew Finkel", "text": "

Seems like one question is whether the WG would be interested in working on a protocol that doesn't provide error recovery, or if those performance gains aren't relevant here

", "time": "2023-03-27T06:03:15Z"}]